Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks

The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status.


Summary

The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status. Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation because new vulnerabilities continue to be discovered while no security updates are issued for them. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system.

Migrating to a new operating system can pose its own unique challenges, such as the cost of new hardware and software and of updating existing custom software. However, these costs do not outweigh the loss of intellectual property and the other threats to an organization that an unsupported system creates.

TLP:WHITE


Threat Overview

  • On 14 January 2020, Microsoft ended support for the Windows 7 operating system, including security updates and technical support, except for customers who purchase an Extended Security Update (ESU) plan. The ESU plan is paid per device and available for Windows 7 Professional and Enterprise editions, with a price that increases the longer a customer continues to use it. Microsoft will only offer the ESU plan until January 2023. Continued use of Windows 7 creates the risk of cyber criminal exploitation of a computer system.
  • As of May 2019, an open source report indicated 71 percent of Windows devices used in healthcare organizations ran an operating system that became unsupported in January 2020. Increased compromises have been observed in the healthcare industry when an operating system has achieved end of life status. After the Windows XP end of life on 8 April 2014, the healthcare industry saw a large increase in the number of exposed records the following year.
  • Cyber criminals continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after the RDP vulnerability called BlueKeep was discovered in May 2019. Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the BlueKeep vulnerability. Cyber criminals often use misconfigured or improperly secured RDP access controls to conduct cyber attacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by trading access to servers around the world that had been compromised through RDP.
  • In 2017, roughly 98 percent of systems infected with WannaCry ran Windows 7. Although Microsoft released a patch in March 2017 for the exploit used by the WannaCry ransomware, many Windows 7 systems remained unpatched when the WannaCry attacks began in May 2017. With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target.



Recommendations

Defending against cyber criminals requires a multilayered approach, including validation of current software employed on the computer network and validation of access controls and network configurations. Consideration should be given to:

  • Upgrading operating systems to the latest supported version.
  • Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
  • Auditing network configurations and isolating computer systems that cannot be updated.
  • Auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
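The audit steps above can be combined into one pass over a domain. The following PowerShell script is an added example, not part of the FBI notification: it inventories Windows 7 hosts from Active Directory, then asks each one whether RDP is enabled, whether Network Level Authentication (NLA) is required, which port RDP listens on, and how many RDP logon failures (Security event 4625, logon type 10) it recorded in the last week, grouped by source address. It assumes the RSAT ActiveDirectory module on the machine running it, PowerShell remoting reachable on the targets (WinRM is off by default on Windows 7, so unreachable hosts are reported rather than skipped), and an account allowed to read the remote registry and Security log; the output file name is hypothetical. The remote script block uses only PowerShell 2.0 syntax because that is what Windows 7 ships with.

```powershell
# Added example (not from the FBI notification). Audit Windows 7 hosts for RDP exposure.
Import-Module ActiveDirectory

# 1. Inventory: Windows 7 computer objects report "Windows 7 ..." as their OperatingSystem.
$legacyHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$report = foreach ($computer in $legacyHosts) {
    try {
        $remote = Invoke-Command -ComputerName $computer.DNSHostName -ErrorAction Stop -ScriptBlock {
            # 2. RDP state lives in the registry: fDenyTSConnections = 0 means RDP is on, and
            #    UserAuthentication = 1 on the RDP-Tcp listener means NLA is required, so a
            #    client must authenticate before it reaches the pre-auth code BlueKeep abuses.
            $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
            $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

            # 3. Failed logons are event 4625; LogonType 10 is RemoteInteractive (RDP). The
            #    logon type is only in the event XML, so parse that instead of the message text.
            #    Caveat: with NLA on, failures rejected at the CredSSP stage are logged as
            #    LogonType 3, so a quiet type-10 count does not by itself mean no RDP attacks.
            $since  = (Get-Date).AddDays(-7)
            $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                          -ErrorAction SilentlyContinue)
            $failedRdp = @($events | ForEach-Object {
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
                New-Object PSObject -Property @{
                    LogonType = $d['LogonType']
                    IpAddress = $d['IpAddress']
                    User      = $d['TargetUserName']
                }
            } | Where-Object { $_.LogonType -eq '10' })

            # Top offending source addresses, as "ip=count" pairs.
            $topSources = ($failedRdp | Group-Object IpAddress | Sort-Object Count -Descending |
                Select-Object -First 5 | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

            New-Object PSObject -Property @{
                RdpEnabled      = ($ts.fDenyTSConnections -eq 0)
                NlaRequired     = ($tcp.UserAuthentication -eq 1)
                RdpPort         = $tcp.PortNumber
                FailedRdpLogons = $failedRdp.Count
                TopSources      = $topSources
            }
        }

        New-Object PSObject -Property @{
            Computer        = $computer.Name
            OS              = $computer.OperatingSystem
            OSVersion       = $computer.OperatingSystemVersion
            LastLogon       = $computer.LastLogonDate
            Reachable       = $true
            RdpEnabled      = $remote.RdpEnabled
            NlaRequired     = $remote.NlaRequired
            RdpPort         = $remote.RdpPort
            FailedRdpLogons = $remote.FailedRdpLogons
            TopSources      = $remote.TopSources
            Error           = ''
        }
    } catch {
        # Unreachable hosts still go in the report: a Windows 7 box nobody can manage
        # remotely is exactly the one that needs isolating (recommendation 3 above).
        New-Object PSObject -Property @{
            Computer = $computer.Name; OS = $computer.OperatingSystem
            OSVersion = $computer.OperatingSystemVersion; LastLogon = $computer.LastLogonDate
            Reachable = $false; RdpEnabled = $null; NlaRequired = $null; RdpPort = $null
            FailedRdpLogons = $null; TopSources = ''; Error = $_.Exception.Message
        }
    }
}

$report | Sort-Object FailedRdpLogons -Descending |
    Format-Table Computer, OS, Reachable, RdpEnabled, NlaRequired, RdpPort, FailedRdpLogons, TopSources -AutoSize
$report | Export-Csv -Path '.\win7-rdp-audit.csv' -NoTypeInformation   # hypothetical output path
```

Hosts that come back with RdpEnabled true but no business need for remote access should have RDP turned off (set fDenyTSConnections to 1 and disable the "Remote Desktop (TCP-In)" firewall rule); those that must keep it should at minimum have NlaRequired true, RDP reachable only through a gateway or VPN that enforces two-factor authentication, and the 4625 counts above feeding a monitored log pipeline rather than sitting on the host.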

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). Field office contacts can be identified at www.fbi.gov/contact-us/field-offices and IC3 at www.ic3.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

Administrative Note

This product is marked TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.